Abstract 


The use of unmanned aircraft in national airspace has been 
characterized as the next great step forward in the evolution of 
civil aviation. To make routine and safe operation of these 
aircraft a reality, a number of technological and regulatory 
challenges must be overcome. This report discusses some of the 
regulatory challenges with respect to deriving safety and 
reliability requirements for unmanned aircraft. In particular, 
definitions of hazards and their classification are discussed and 
applied to a preliminary functional hazard assessment of a 
generic unmanned system. 


1 Introduction 

Military interest in unmanned aircraft systems (UASs) dates back to the early 1900’s with the 
experimental development of the Curtiss/Sperry "Flying Bomb" in 1915 by the United States 
(US) Navy, and the US Army’s development of the Kettering "Bug" in 1918 (ref. 1, 2). From 
those humble beginnings, unmanned aircraft have become an integral component in military 
operations today. As of September 2004, some twenty types of unmanned aircraft, large and 
small, have flown over 100,000 total flight hours in support of military operations, especially in 
Afghanistan and Iraq (ref. 3). There is little doubt that unmanned aircraft are transforming 
military operations. 

Buoyed by the success in the military sector, UAS vendors are looking to civil and 
commercial applications for their aircraft, especially applications characterized as dull, 
dangerous, or dirty. A wide-range of applications such as pipeline inspection, border control, fire 
fighting, agricultural management, communications relay, and air-freight operations seem ideally 
suited for unmanned aircraft. Many believe that the time is rapidly approaching when unmanned 
aircraft will be commonplace in our national airspace system (NAS), and that now is the time for 
the formulation of governing standards. 

A comprehensive safety argument for unmanned aircraft will be necessary for formulating 
these standards. That safety argument will differ from that of conventional aircraft in at least two 
fundamental aspects. First, unlike manned aircraft, an unmanned vehicle[1] can be lost without 
necessarily endangering any human life. Second, because the pilot is not on board the vehicle, 
reliance will be placed on automation to a much greater degree than in conventional aircraft — 
especially in unusual situations. The NAS already accommodates some degree of autonomous 
operation, as described by Hadden (ref. 4): 

Except during take-off and the final stages of landing, the modern commercial 
aircraft is routinely being flown by computers, monitored by human pilots. The 
systems in the latest generation of commercial aircraft commonly have fault 
monitoring and diagnostic functions which can cope with many failure conditions 
without pilot intervention. Automatic landing including flare and ground roll has 
been commonplace for many years. When automation of the take-off segment of 


[1] The terms unmanned aircraft and unmanned vehicle are used interchangeably to refer specifically to an 
air vehicle that does not have an on-board crew. For this paper, we are not considering such aircraft with 
passengers on board. Conversely, manned aircraft refers to an air vehicle that does have an on-board 
crew. 



flight also becomes common it may be the norm for airliners to complete their 
missions without operation of the primary flying controls by a human pilot at any 
stage. 

It is expected that automatic systems for civil aircraft will become ever more 
capable and demonstrate increasing reliability. As a consequence the severity of 
the effect of a flight crew becoming incapacitated whilst airborne will tend to 
diminish. Whilst the remoteness of the pilot/controller of a UAV raises major 
issues for aircraft operations in terms of air traffic management, compliance with 
the Rules of the Air etc, it can be seen that the regulatory process for 
airworthiness certification is already proven to be able to cope with high levels of 
automation. 


Technological advances, such as reliable command and control, and sense and avoid 
capability, will play a key role in enabling access to civil airspace. Equally important, and 
perhaps more difficult, is development of the regulatory framework that will provide the guidance 
necessary to assure safety. This report focuses attention on one part of the regulations necessary 
for establishing the airworthiness of a UAS, namely standards for reliability and safety. 

The broad issue, informally speaking, is: how reliable does a UAS need to be to operate 
routinely and safely in civil airspace? Does such a system need to meet the most stringent 
reliability requirements, such as those levied on commercial transport (Part 25) aircraft? Or, is 
comparison with general aviation aircraft (Part 23) more appropriate? Answering these questions 
for a UAS is non-trivial. Unmanned aircraft in operation today range in size from vehicles 
capable of being hand-launched to vehicles with a wingspan comparable to transport aircraft, with 
fixed and rotary wings, and with radically different altitude and endurance capabilities. This 
report does not attempt to answer the reliability question associated with each distinct type of 
aircraft, but instead covers a few fundamental underpinnings of reliability and safety 
requirements that will be needed to eventually provide an answer. This report presents initial 
thinking about definitions of hazards and their classification for UASs, and how those definitions 
could be applied in a functional hazard assessment of a UAS. This work is preliminary and 
intended to encourage debate and discussion. 

This report is organized as follows. Section 2 provides a brief overview of existing 
airworthiness guidance for manned aircraft with respect to regulating hazards. Section 3 
discusses how terminology used to identify and classify hazards may be adapted for a UAS. In 
particular, new definitions for hazard classifications are proposed. Next, section 4 describes the 
hazard assessment process used in civil aviation, and how that process may be tailored to address 
unique aspects of a UAS. A functional decomposition of a generic UAS is described in section 5. 
The decomposition is an organized listing of the high-level functions required for the safe and 
routine flight of a generic UAS. This functional decomposition is used for conducting a 
preliminary functional hazard assessment (FHA), that is the subject of section 6. Because of its 
size, the FHA is included as an appendix. Section 7 provides preliminary thoughts on 
environmental protection from high intensity radiated fields and single event upset. Finally, a 
summary and concluding remarks are given in section 8. 

2 Regulations Governing Design Hazards for Manned Aircraft 

An intricate system of rules and regulations governs the design and operation of aircraft within 
the NAS. Title 14 of the Code of Federal Regulations (14 CFR, Chapter I) contains the Federal 
Aviation Regulations (FARs) (ref. 5) for the certification process for various product types: FAR 
Part 25 for large transport airplanes, FAR Part 23 for small airplanes, FAR Part 27 for small 
helicopters, FAR Part 29 for large transport helicopters, FAR Part 31 for manned free balloons, 
and FAR Parts 33 and 35 for engines and propellers, respectively. The regulations promote 
safety of flight by setting minimum standards for the design, materials, workmanship, 
construction, and performance of aircraft, aircraft engines, and propellers as may be required in 
the interest of safety. 

Current regulations define no category of aircraft that would apply rationally or completely to 
UAS design and certification. A reasonable assertion from which to start developing such 
regulations is that unmanned aircraft should pose no greater risk to persons or property in the air 
or on the ground than that presented by equivalent manned aircraft (ref. 4). Working from that 
assertion, two related issues come into play: hazard classification and likelihood of failure. Both 
are factors in evaluating risk. 

FAR Sections 23.1309 and 25.1309 deal with hazards to equipment, systems, and installations. 
The regulations require justification that all probable failures or combinations of failures of any 
system will not result in unacceptable consequences. The justification is typically in the form of 
analysis that shows that the probability of a failure or combination of failures which could cause a 
significant hazard is acceptably low. The FAA recognizes five hazard categories: catastrophic, 
hazardous, major, minor, and no effect. Figure 1 shows the general relationship expected 
between likelihood of failure and the hazard categories (ref. 6). 


Figure 1. Relationship Between Likelihood of Failure and Hazard Category 

For decades, there was no formal distinction in treatment of hazards among aircraft types. For 
example, prior to 1999, single-engine general aviation aircraft were subject to virtually the same 
regulatory considerations as large jet transports with respect to definitions of allowable hazards 
(ref. 7). In 1999, however, the FAA acknowledged that imposing the same standards on transport 
and general aviation aircraft was inconsistent with the actual risks. That acknowledgement was 
made in FAA Advisory Circular (AC) 23.1309-1C (ref. 6), that redefined many risks for small 
aircraft. As stated in AC 23.1309-1C, 

Incorporation of [standards developed for transport airplanes] into Part 23 
resulted in a significant increase in equipment reliability standards. That is, they 
required much lower probability values for failure conditions than the existing 
operational safety history of different airplane classes. Current data indicates that 
these probability values were not realistic. Since most aircraft accidents are 
caused by something other than equipment failures, increasing the reliability of 
the installed systems to try to improve safety will have little positive effect on 
reducing aircraft accidents when compared with reducing accidents due to pilot 
error. 

In accord with this, AC 23.1309-1C established a multi-tiered certification approach for four 
different classes of Part 23 aircraft: the smallest craft having a single piston engine to the largest 
being a multiengine commuter jet. Different criteria for probability of failure per flight hour were 
prescribed for each class, based on historical evidence from the airline industry’s existing safety 
record. Table 1 compares current requirements for hazard probabilities between Part 23 and other 
FAR Parts. The probability numbers in table 1 represent only random hardware failures per flight 
hour. 


Table 1. Relationship of Hazard Categories to Probability of Failure for 
Different Categories of Aircraft 


Hazard Classification   Requirements for Probability of Failure Per Flight Hour 
                        Part 23                              Parts 25, 27, 29, and 33 
---------------------   ----------------------------------   ------------------------ 
Catastrophic            10^-6 to 10^-9, plus no single       10^-9, plus no single 
                        functional failure                   functional failure 
Hazardous               10^-5 to 10^-7                       10^-7 
Major                   10^-4 to 10^-5                       10^-5 
Minor                   10^-3                                >10^-5 
No Effect               None                                 None 


FAA AC 23.1309-1C explains the rationale for these probability numbers for Part 23 aircraft 
as follows: 

Historical evidence indicates that the probability of a fatal accident in restricted 
visibility due to operational and airframe-related causes is approximately one per 
ten thousand hours of flight for single-engine airplanes under 6,000 pounds. 
Furthermore, from accident databases, it appears that about 10 percent of the total 
was attributed to Failure Conditions caused by the airplane’s systems. It is 
reasonable to expect that the probability of a fatal accident from all such Failure 
Conditions would not be greater than one per one hundred thousand flight hours 
or 1 x 10^-5 per flight hour for a newly designed airplane. It is also assumed, 
arbitrarily, that there are about ten potential Failure Conditions in an airplane that 
could be catastrophic. The allowable target Average Probability Per Flight Hour 
of 1 x 10^-5 was thus apportioned equally among these Failure Conditions, which 
resulted in an allocation of not greater than 1 x 10^-6 to each. The upper limit for 
the Average Probability per Flight Hour for Catastrophic Failure Conditions 
would be 1 x 10^-6, which establishes an approximate probability value for the 
term “Extremely Improbable.” Failure Conditions having less severe effects 
could be relatively more likely to occur. Similarly, airplanes over 6,000 pounds 
have a lower fatal accident rate; therefore, they have a lower probability value for 
Catastrophic Failure Conditions. 

A similar derivation is given for the probabilities assigned for commercial transport aircraft 
(ref. 8), except that the probability of a fatal accident due to airplane system failures is assumed to 
be less than 10^-7 per flight, with approximately 100 potential failure conditions that could be catastrophic, 
and a mean flight duration of one hour — giving the 10^-9 per flight hour requirement. This 
derivation becomes problematic for a UAS because little relevant historical data exists on failure 
of unmanned aircraft in civil applications[2]. Existing data from military operations (ref. 9) 
indicate that UAS reliability is about two orders of magnitude worse than the aircraft with the 
worst documented reliability, namely Part 23 Class I aircraft. Introducing a UAS with such low 
reliability into the NAS has the potential for creating unacceptable hazards. 

Assuming that the public will expect new aircraft systems to be no more dangerous than 
current systems, specifically that a UAS should pose no greater risk than that presented by 
equivalent manned aircraft, then understanding potentially catastrophic failure conditions of a 
UAS becomes important to establishing system reliability requirements. But, what does 
catastrophic failure mean for a UAS? Answering this question for a UAS will help set the stage 
for airworthiness requirements, as well as system design and equipment requirements. 

The next section examines terminology for describing failure conditions for a UAS. 

3 Defining Hazard Classifications for a UAS 

Hazard categories are defined in a number of regulatory documents. For example, the FAA 
System Safety Handbook (ref. 10) contains a general set of definitions, AC 23.1309-1C offers 
definitions specific for Part 23 aircraft, and AC 25.1309-1A (ref. 11) offers definitions for 
transport aircraft. The various definitions are similar, but not exactly the same. For the purposes 
of this paper, AC 23.1309-1C was chosen as a model for developing regulatory wording for 
hazards associated with systems and equipment for a UAS. This choice was made, at least in part, 
because many unmanned aircraft of interest are similar in weight and performance characteristics 
to Part 23 aircraft. Also, it was assumed that definitions for UASs would more likely gain 
acceptance if they were similar to existing definitions. Hence, the work here in defining hazard 
classifications for a UAS started with the definitions of the five hazard classifications from AC 
23.1309-1C, as shown in table 2. 

The fundamental distinction for unmanned aircraft, of course, is that there are no people on 
board the aircraft. Hence, one approach to revising the definitions specific to UASs would be to 
delete references to the on-board flight crew and occupants. Although this may seem reasonable 
at first, this approach would obfuscate important collateral issues. One such issue is that 
regulations which aim to protect aircraft occupants by preventing crashes might also protect third 
parties (people in other aircraft and people on the ground). Most safety analyses, however, do not 
address this fully. Another issue concerns mitigating hazards. In conventional aircraft, the on- 
board pilot is willing and able to minimize or eliminate hazards to other aircraft or persons or 
property on the ground. That ability may be significantly different for a remote or autonomous 
pilot. Revised hazard definitions for UASs should consider these distinctions. 


[2] There may be a small amount of data on civilian-like missions such as surveillance operations conducted 
by the Coast Guard. But, the context is insufficiently similar to be useful. 

The definitions for hazard categories actually start with a definition of failure conditions, 
which include the specific definition of the terms catastrophic, hazardous, major, minor, and no 
safety effect. AC 23.1309-1C gives the following definition: 

Failure Conditions: A condition having an effect on either the airplane or its occupants, or 
both, either direct or consequential, which is caused or contributed to by one or more failures or 
errors considering flight phase and relevant adverse operational or environmental conditions or 
external events. Failure Conditions may be classified according to their severity as follows: [as 
shown in table 2], 


Table 2. Definitions of Hazard Categories for Part 23 Aircraft 


No Safety Effect: Failure Conditions that would have no affect [sic] on safety (that is, Failure Conditions that 
would not affect the operational capability of the airplane or increase crew workload) 

Minor: Failure Conditions that would not significantly reduce airplane safety and involve crew actions that are 
well within their capabilities. Minor Failure Conditions may include a slight reduction in safety margins or 
functional capabilities, a slight increase in crew workload (such as routine flight plan changes), or some physical 
discomfort to passengers or cabin crew. 

Major: Failure Conditions that would reduce the capability of the airplane or the ability of the crew to cope with 
adverse operating conditions to the extent that there would be 

a significant reduction in safety margins or functional capabilities; 
a significant increase in crew workload or in conditions impairing crew efficiency; or 
a discomfort to the flight crew or physical distress to passengers or cabin crew, possibly including injuries. 
Hazardous: Failure Conditions that would reduce the capability of the airplane or the ability of the crew to cope 
with adverse operating conditions to the extent that there would be the following: 

1. A large reduction in safety margins or functional capabilities; 

2. Physical distress or higher workload such that the flight crew cannot be relied upon to perform their tasks 
accurately or completely; or 

3. Serious or fatal injury to an occupant other than the flight crew. 

Catastrophic: Failure Conditions that are expected to result in multiple fatalities of the occupants, or 
incapacitation or fatal injury to a flight crewmember normally with the loss of the airplane. 

Notes: (1) The phrase “are expected to result” is not intended to require 100% certainty that the effects will 
always be catastrophic. Conversely, just because the effects of a given failure, or combination of failures, could 
conceivably be catastrophic in extreme circumstances, it is not intended to imply that the failure condition will 
necessarily be considered catastrophic. (2) The term “Catastrophic” was defined in previous versions of the rule 
and the advisory material as a Failure Condition that would prevent continued safe flight and landing. 


Revising the definition of “failure condition”, without the classification definitions, is 
relatively simple. For this particular term, removing the reference to occupants and replacing 
“airplane” with “UAS” are easy modifications. It is important to keep in mind that by UAS, we 
mean all essential systems for safe flight including the aircraft itself, any external components of 
the system, such as a ground control station, and the command, control, and communication links 
between the external components and the aircraft. With that in mind, a failure condition for a 
UAS could be defined as: a condition having an effect on the UAS, either direct or 

consequential, which is caused or contributed to by one or more failures or errors considering 
flight phase and relevant adverse operational or environmental conditions or external events. 

Modifying the definitions for each hazard classification is more challenging, especially the 
definition for catastrophic. For this study, we made two assumptions: (1) the severity 
classifications used for a UAS should be consistent with those used for manned aircraft, and (2) 
changes to existing definitions should be minimized as much as possible. To that extent, the 
considerations for revising the definitions included thinking about the effects of failure on three 
entities: the UAS itself, the flight crew of the UAS (which likely resides in a ground control 
station), and third parties (any people external to the UAS either on the ground or in other 
aircraft). These three considerations are comparable to those in AC 23.1309-1C for the effects of 
failure on the airplane, flight crew, and occupants. 

Most of the proposed changes to the definitions deal with references to passengers and cabin 
crew. One change is to use the term “flight crew” in place of “crew”. Here, the term “flight 
crew” is defined as individuals authorized to command and control the UAS. Although the flight 
crew for a UAS would likely be located in a ground control station, issues of workload and 
physical distress, injury, incapacitation, or death are still relevant. Implicit in this discussion is 
the assumption that a person or persons are responsible for control of the vehicle — completely 
autonomous vehicles are not considered. Table 3 shows proposed changes to the original AC 
23.1309-1C definitions in table 2 for all of the hazard categories, except catastrophic. Additions 
to the AC 23.1309-1C definitions are marked {+like this+}, and deletions are marked [-like this-] 
(bold italics and strikethrough, respectively, in the original report). 


Table 3. Proposed Revisions to the Definitions of Four Hazard Categories 


No Safety Effect: Failure Conditions that would have no effect on safety (that is, Failure Conditions that 
would not affect the operational capability of the airplane or increase {+flight+} crew workload). 

Minor: Failure Conditions that would not significantly reduce [-airplane-] {+UAS+} safety and involve {+flight+} 
crew actions that are well within their capabilities. Minor Failure Conditions may include a slight 
reduction in safety margins or functional capabilities[-,-] {+or+} a slight increase in {+flight+} crew workload (such 
as routine flight plan changes)[-, or some physical discomfort to passengers or cabin crew-]. 

Major: Failure conditions that would reduce the capability of the [-airplane-] {+UAS+} or the ability of the 
{+flight+} crew to cope with adverse operating conditions to the extent that there would be: 

a significant reduction in safety margins or functional capabilities; 

a significant increase in {+flight+} crew workload or in conditions impairing {+flight+} crew efficiency; or 

a discomfort to the flight crew[-, or physical distress to passengers or cabin crew, possibly including 
injuries-]; or {+a potential for physical discomfort to persons+}. 

Hazardous: Failure Conditions that would reduce the capability of the [-airplane-] {+UAS+} or the ability of the 
{+flight+} crew to cope with adverse operating conditions to the extent that there would be the following: 

1. A large reduction in safety margins or functional capabilities; 

2. Physical distress or higher workload such that the {+UAS+} flight crew cannot be relied upon to 
perform their tasks accurately or completely; or 

3. [-Serious or fatal injury to an occupant other than the flight crew.-] {+Physical distress to persons, 
possibly including injuries.+} 


Revising the definition of catastrophic failure posed more of a challenge. A unique concern 
for a UAS, especially within the FAA, is the persistent loss of the ability to control the flight path 
of the aircraft. The worst case assumption is that loss of the aircraft will normally follow at some 
point after permanent loss of control. Unmanned aircraft have the unique ability to potentially 
provide controlled loss of the aircraft, without loss of life; for example, controlled flight 
termination at a pre-designated crash location. The key factor is control, without which no 
guarantees can be made about safe flight termination. 

Because the FAA recognizes the seriousness of lost-link situations, current authorizations for a 
UAS to fly under a Certificate of Authorization (ref. 12) or Experimental Certificate 
predominantly limit operations to unpopulated areas, and, in many cases, require airspace 
restrictions to reduce potential interference of UAS with other aircraft. Procedures are typically 
put in place such that “should loss of link occur, the UAS pilot must immediately alert air traffic 
control (ATC) and inform the controllers of the loss of control link. Information about what the 
aircraft is programmed to do and when it is programmed to do it is pre-coordinated with the 
affected ATC facilities in advance of the flight so that FAA can take the appropriate actions to 
mitigate the situation and preserve safety.” (ref. 13) 

With these thoughts in mind, the following revised definition for “catastrophic” was proposed 
(additions marked {+like this+}, deletions marked [-like this-]): 


Catastrophic: Failure conditions that are expected to result in [-multiple fatalities of the occupants, or 
incapacitation or fatal injury to a flight crewmember normally with the loss of the airplane-] {+one or 
more fatalities or serious injury to persons, or the persistent loss of the ability to control the flight 
path of the aircraft normally with the loss of the aircraft+}. 

Notes: (1) The phrase “are expected to result” is not intended to require 100% certainty that the effects 
will always be catastrophic. Conversely, just because the effects of a given failure, or combination of 
failures, could conceivably be catastrophic in extreme circumstances, it is not intended to imply that 
the failure condition will necessarily be considered catastrophic. (2) The term “Catastrophic” was 
defined in previous versions of the rule and the advisory material as a Failure Condition that would 
prevent continued safe flight and landing. 

In addition to the definitions of severity levels, the advisory circular provides additional 
guidance about the relationship between the severity levels and the effects of failure on the 
airplane, flight crew, and occupants. Some changes to that guidance are essential for a UAS. 
Table 4 shows the relationships specified in AC 23.1309-1C, with proposed changes highlighted. 
Additions to the original text are marked {+like this+}, and deletions are marked [-like this-] 
(bold italics and strikethrough, respectively, in the original report). Each row of the original 
table is listed with its entry for each classification of failure condition. 


Table 4. Relationship Between Severity Levels and Effects for a UAS 


Effect on [-Airplane-] {+UAS+} 
  No Safety Effect: No effect on operational capabilities or safety 
  Minor:            Slight reduction in functional capabilities or safety margins 
  Major:            Significant reduction in functional capabilities or safety margins 
  Hazardous:        Large reduction in functional capabilities or safety margins 
  Catastrophic:     [-Normally with hull loss-] {+Uncontrolled loss of aircraft+} 

[-Effect on Occupants-] 
  No Safety Effect: [-Inconvenience-] 
  Minor:            [-Physical discomfort-] 
  Major:            [-Physical distress to passengers, including injuries-] 
  Hazardous:        [-Serious or fatal injury to an occupant-] 
  Catastrophic:     [-Multiple fatalities-] 

{+Effects External to UAS+} 
  No Safety Effect: {+No effect+} 
  Minor:            {+No effect+} 
  Major:            {+Potential for physical discomfort+} 
  Hazardous:        {+Physical distress, possibly including injuries+} 
  Catastrophic:     {+Potential for one or more fatalities and/or severe injuries+} 

Effect on {+UAS+} Flight Crew 
  No Safety Effect: No effect on flight crew 
  Minor:            Slight increase in workload or use of emergency procedures 
  Major:            Physical discomfort or a significant increase in workload 
  Hazardous:        Physical distress or excessive workload impairs ability to perform tasks 
  Catastrophic:     Fatal injury or incapacitation 

One obvious change involves modifying the guidance for the effect on airplane to be guidance 
for the effect on UAS. As shown in table 4, the effect on UAS is very similar to the effect on 
airplane, except that catastrophic failure for a UAS is concerned with uncontrolled hull loss. An 
uncontrolled hull loss, for example, may result from a permanent lost-link situation. On the other 
hand, the automatic destruction of the UAS, in a safe circumstance, or controlled flight into a 
designated crash location may be considered examples of acceptable controlled hull loss. 

The effect on flight crew is proposed to be the same, regardless of whether the flight crew 
supports a manned or unmanned aircraft. However, for unmanned aircraft, the effect on flight 
crew may not necessarily be tightly coupled with the effect on a UAS. For example, a system 
failure with a catastrophic consequence to the UAS, may not be catastrophic for the flight crew, 
although that would likely be the case with a manned aircraft. For example, an uncontrolled loss 
of a UAS would not likely cause fatal injury or incapacitation to the ground crew. On the other 
hand, hazards limited to the ground station, such as a fire, may have catastrophic consequences 
for the crew, but not for the vehicle. 

The final change is that guidance for effect on occupants was deleted, and new guidance for 
effects external to a UAS was added. This new row considers the potential effect of a failure to 
persons on the ground or in other aircraft. The effects specified here are specific to physical 
discomfort, injury or death to third parties. As shown in table 4, the severity of each potential 
effect has been increased with respect to third parties, as compared with the effect on occupants. 
For example, potential for physical discomfort is considered to be major for third parties, but only 
minor for aircraft occupants. The rationale for increasing the severity is that the third parties are, 
in effect, innocent bystanders, whereas aircraft occupants assumed some level of risk by boarding 
the aircraft. 

Table 4 does not include guidance about effects on air traffic management (ATM). Such 
guidance is not included in AC 23.1309-1C. But, considering the potential effect on ATM may 
be worthwhile because unmanned aircraft may increase demand on various elements of the civil 
ATM system, particularly surveillance and communications. Ideally, we would not want 
unmanned aircraft to place a burden on the system greater than the burden imposed from an 
equivalent number of manned aircraft. “In essence, the function of maintaining safe separation, 
passing instructions and providing efficient tactical management of traffic flow should be no 
more labour intensive, or less safe.” (ref. 14) This may require the adaptation of additional forms 
of safety analysis such as described in RTCA DO-264, Guidelines For Approval Of The 
Provision And Use Of Air Traffic Services Supported By Data Communications, (ref. 15) to 
supplement the traditional aircraft oriented techniques. For the purposes of this report, however, 
only aircraft oriented techniques are explored. 

It is important to note that the hazard definitions presented in this section are intended to be a 
starting point for thinking about the effects of failures. Further modifications will likely be 
warranted as potential UAS failures and their effects are better understood. 
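The apportionment argument quoted in section 2 and the three-entity reading of table 4 can be exercised together on a small set of failure conditions. The Python below is an added example written for this edition; it is not code from the report or its authors. It assumes that the overall severity of a failure condition is the worst of its effects on the UAS, the flight crew, and third parties; that the two endpoints of each Part 23 range in table 1 correspond to the least and most stringent Part 23 classes; and that the minimal cut set size of each condition is known (1 meaning a single failure alone produces it). The failure conditions it assesses are constructed for illustration and are not taken from the report's appendix.

```python
"""Hazard classification and probability-budget checks for a UAS FHA.

Added example, not from the report: encodes the AC 23.1309-1C apportionment
argument, the allowable probabilities of table 1, and a worst-of-three-entities
reading of table 4, then runs them over constructed failure conditions.
"""
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    """The five FAA hazard categories, ordered so max() picks the worst."""
    NO_SAFETY_EFFECT = 0
    MINOR = 1
    MAJOR = 2
    HAZARDOUS = 3
    CATASTROPHIC = 4


def system_caused_rate(fatal_accident_rate, system_fraction):
    """Share of a historical fatal-accident rate attributed to airplane systems
    (AC 23.1309-1C: about 1e-4 per flight hour, of which about 10 percent)."""
    return fatal_accident_rate * system_fraction


def per_condition_budget(system_rate_per_flight, n_catastrophic_conditions,
                         mean_flight_hours=1.0):
    """Equal apportionment across the assumed number of catastrophic failure
    conditions, converted to a per-flight-hour value. The Part 23 argument is
    already per flight hour, so mean_flight_hours is left at 1.0 for it."""
    return system_rate_per_flight / n_catastrophic_conditions / mean_flight_hours


NO_LIMIT = float("inf")

# Allowable average probability per flight hour, from table 1 of the report.
# Assumption: the endpoints of each Part 23 range are the least and most
# stringent Part 23 classes. Part 25 gives no upper bound for Minor conditions
# (they are merely "probable", i.e. greater than 1e-5).
ALLOWABLE_PER_FH = {
    "part23_least_stringent": {Severity.MINOR: 1e-3, Severity.MAJOR: 1e-4,
                               Severity.HAZARDOUS: 1e-5, Severity.CATASTROPHIC: 1e-6},
    "part23_most_stringent": {Severity.MINOR: 1e-3, Severity.MAJOR: 1e-5,
                              Severity.HAZARDOUS: 1e-7, Severity.CATASTROPHIC: 1e-9},
    "part25": {Severity.MINOR: NO_LIMIT, Severity.MAJOR: 1e-5,
               Severity.HAZARDOUS: 1e-7, Severity.CATASTROPHIC: 1e-9},
}


@dataclass(frozen=True)
class Effects:
    """Worst effect of one failure condition on each entity of table 4."""
    uas: Severity
    flight_crew: Severity
    third_parties: Severity


def classify(effects):
    """Overall severity: the worst effect on any entity (this example's reading
    of table 4, where each row is judged separately)."""
    return max(effects.uas, effects.flight_crew, effects.third_parties)


@dataclass(frozen=True)
class FailureCondition:
    function: str
    condition: str
    effects: Effects
    probability_per_fh: float
    min_cut_set_size: int  # 1 means a single failure alone produces the condition


def check(fc, regime):
    """Return (severity, findings); an empty findings list means compliant."""
    sev = classify(fc.effects)
    limit = ALLOWABLE_PER_FH[regime].get(sev, NO_LIMIT)
    findings = []
    if fc.probability_per_fh > limit:
        findings.append(f"{fc.probability_per_fh:.0e}/FH exceeds the {limit:.0e}/FH "
                        f"limit for {sev.name} under {regime}")
    # Table 1: catastrophic conditions must not follow from a single failure.
    if sev == Severity.CATASTROPHIC and fc.min_cut_set_size < 2:
        findings.append("catastrophic condition reachable by a single failure")
    return sev, findings


def assess(fha, regime):
    """Map each condition's name to its (severity, findings) under one regime."""
    return {fc.condition: check(fc, regime) for fc in fha}


# Constructed entries for illustration; not taken from the report's appendix.
SAMPLE_FHA = [
    FailureCondition("Command and control link",
                     "Persistent loss of link with no flight termination capability",
                     Effects(Severity.CATASTROPHIC, Severity.NO_SAFETY_EFFECT,
                             Severity.CATASTROPHIC),
                     probability_per_fh=1e-5, min_cut_set_size=1),
    FailureCondition("Ground control station", "Fire in the control station",
                     Effects(Severity.NO_SAFETY_EFFECT, Severity.CATASTROPHIC,
                             Severity.NO_SAFETY_EFFECT),
                     probability_per_fh=5e-7, min_cut_set_size=2),
    FailureCondition("Navigation", "Undetected position error over a populated area",
                     Effects(Severity.MINOR, Severity.MINOR, Severity.MAJOR),
                     probability_per_fh=3e-5, min_cut_set_size=2),
    FailureCondition("Telemetry display", "Loss of one redundant status display",
                     Effects(Severity.NO_SAFETY_EFFECT, Severity.MINOR,
                             Severity.NO_SAFETY_EFFECT),
                     probability_per_fh=5e-4, min_cut_set_size=1),
]

if __name__ == "__main__":
    budget23 = per_condition_budget(system_caused_rate(1e-4, 0.10), 10)
    budget25 = per_condition_budget(1e-7, 100, mean_flight_hours=1.0)
    print(f"Part 23 single-engine budget per catastrophic condition: {budget23:.0e}/FH")
    print(f"Part 25 budget per catastrophic condition: {budget25:.0e}/FH")
    for regime in ("part23_least_stringent", "part25"):
        print(f"\n== {regime} ==")
        for name, (sev, findings) in assess(SAMPLE_FHA, regime).items():
            print(f"{sev.name:16} {name}")
            for finding in findings:
                print("    -", finding)
```

Run as a script, the module first reproduces the two budgets from section 2 (10^-6 and 10^-9 per flight hour) and then reports each constructed condition under two regimes. The lost-link entry is classified catastrophic by two entities at once and fails both the probability limit and the no-single-failure rule, which is the report's point about persistent loss of control; the control-station fire is catastrophic for the crew although the vehicle is unaffected; and the navigation entry passes at the least stringent Part 23 level but not at the most stringent one, showing why the choice of comparable aircraft class matters.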

4 Applying Functional Hazard Assessment to a UAS 

Given a starting set of hazard definitions, a next step is to see how they might apply in the 
assessment of UAS hazards. Functional hazard assessment (FHA) is a systematic, comprehensive 
examination of functions to identify and classify failure conditions of those functions according 
to their severity. SAE ARP 4761 (ref. 16) provides guidance for the FHA process used in civil 
aviation. 
According to SAE ARP 4761, the FHA process: 

• provides the top-level design criteria for a system 

• determines the depth of further analysis 

• allows for derivation of the system architecture 

• is independent of hardware and software 

The FHA process, in general, is intended to be iterative and becomes more defined and fixed 
as a system evolves. The output of the FHA is an identification of the potential failure modes, 
associated hazards, and their criticalities. This output is the starting point for the generation and 
allocation of safety requirements of a system. 

Some special considerations are worth noting when applying FHA to a UAS. Traditional FHA 
for manned aircraft is concerned with the functions on board the vehicle and its systems. For a 
UAS, functions integral to safe operation, such as command and control functions resident with a 
remote pilot, may not necessarily reside on the vehicle. An FHA of a UAS should include all 
functions integral to the safe operation of the vehicle, regardless of where those functions reside. 
Where a function resides may, however, affect the possible failure conditions and their 
consequences and severities. 

It is also worth noting that the functions described in our FHA process were for a generic 
UAS, as opposed to a specific UAS platform. Although there is considerable variation among 
UAS platforms, there presumably is a core set of functions that most aircraft, including unmanned 
aircraft, will need to operate routinely and safely within the NAS. For this study, we used 
colloquial tenets of piloting; namely, to fly the plane (aviate), fly it in the right direction 
(navigate), and, state your condition or intentions to other people (communicate) to provide a 
rudimentary framework for organizing functions of a UAS. A fourth category, mitigate hazards, 
was also added to the framework. This category is intended to capture those actions necessary to 
(1) stay clear of hazards, including other air traffic, flight or ground path obstructions, and 
adverse weather conditions, and (2) manage contingency situations that may arise. Managing 
contingencies (or mitigate in general) is not typically specified as a separate function for manned 
aircraft, but is included as part of other functions. This category was included here to highlight a 
class of functions that are performed implicitly by the on-board pilot in a manned aircraft, but 
may be performed by automation in a UAS. As such, new hazards may arise. The core set of 
functions used in our FHA is given in a functional decomposition of the generic UAS discussed 
in the next section. 

A final consideration worth noting relates to the types of hazards applicable to a UAS. For 
manned aircraft, hazards associated with the safety of the crew and passengers are the primary 
concern. For a UAS, hazards involving impact with people or property on the ground and impact 
with other aircraft are the primary concern. Reliance on a remote pilot, as well as on-board 
automation, also introduces different considerations for failure conditions. 

In this section, fundamental aspects of the FHA process are described in brief, along with 
specific tailoring of the process to accommodate unique aspects of unmanned aircraft. 

4.1 FHA Fundamentals 

The FHA process described in this report is based on the safety assessment methodology 
specified in SAE ARP 4761. Figure 2 shows a top-level view of the system safety assessment 
process described in that document. For this project, the “Aircraft FHA” shown in figure 2 is 
actually a “UAS FHA”. 
Figure 2. System Safety Assessment Processes from SAE ARP 4761 

According to SAE ARP 4761, the objectives of the FHA are to consider functions at the most 
appropriate level and to identify failure conditions and the associated classifications while 
considering both loss of functions and malfunctions. The FHA should identify the failure 
conditions for each phase of flight when the failure effects and classifications vary from one 
flight phase to another. The FHA should also establish derived safety requirements needed to 
limit the function failure effects which affect the failure condition classification. The safety 
requirements may include such things as design constraints, annunciation of failure conditions, or 
recommended flight crew or maintenance actions. 

The FHA process is a top down approach for identifying the functional failure conditions and 
assessing their effects. This assessment proceeds through the following steps: 

a. identifying all functions associated with the system under study (given in this report in the 
functional decomposition) 

b. identifying and describing failure conditions associated with these functions, considering 
single and multiple failures in normal and degraded environments 

c. determining the effects of the failure condition 

The essential prerequisite for conducting an FHA is a description of the high level functions of 
the system. For this study, those functions were captured in the UAS functional decomposition 
presented in Section 5. This functional decomposition was based on functional requirements for 
a generic UAS as specified in a functional requirements document developed under NASA’s 
Access 5 program (ref. 17). It is important to note that a preliminary FHA is performed before 
the functions have been allocated to equipment, procedures or people; that is, it considers what 
the proposed system will do, rather than how the functions may be implemented. Preliminary 
FHA results can be used to support function allocation. 

Other aspects of the UAS are important to the FHA process in addition to the functions 
themselves. These aspects include a description of operational scenarios (how the system will be 
used and in what environment) and relevant regulatory policy and guidance. For this project, 
much of that information is given in the Access 5 Concept of Operations (ref. 18). The combined 
input to the FHA process is thus a comprehensive description of the system to be assessed. Here, 
that description is mostly embodied in the functional decomposition. 

Once the system functions are defined, the next step is to identify possible failure modes or 
conditions for each function, and what the consequences of those failures might be. Hazards are 
the results of failures within the system, the combination of failures and interactions with other 
systems, and external events in the operational environment. To identify potential hazards, it is 
necessary to consider the various ways each individual function of the system can fail (that is the 
failure mode). Given each failure mode, the consequence of that failure should be described. 
Consequences of failures may include effects on the functional capability of the UAS, air traffic 
management operations, and the operator; e.g., workload. Figure 3 shows the template used in 
this project for documenting the functions, failure conditions, their consequences, and criticality 
classification. 


Figure 3. FHA Template 
Much of the FHA process as described in SAE ARP 4761 can be applied directly to 
assessment of a UAS. A few areas, however, need special consideration due to the unique 
aspects of a UAS, namely, failure conditions and phases of flight. 

4.2 Failure Conditions for a UAS 

Two approaches to enumerating failure conditions of a UAS were considered. The first 
approach is shown in the appendix of AC 23.1309-1C, and the second approach is taken from 
examples in SAE ARP 4761. The example FHA for Class 1 general aviation aircraft in Appendix 
A of AC 23.1309-1C identifies failure conditions in three categories: (1) total loss of function, 
(2) loss of primary means of providing function, and (3) misleading and/or malfunction without 
warning. Implicit in the example FHA is that the pilot is ultimately responsible for redundancy 
management. That is, the pilot appears to be responsible for managing the switch between 
primary and secondary functions. This view of the system also implicitly assumes a systems 
architecture that may not adequately capture the complexities of highly automated UAS. 

SAE ARP 4761 takes a slightly broader approach to failure conditions, identifying failure 
conditions specific to a single abstracted aircraft function. In an example from Appendix L of 
that document, failure conditions for the function “Decelerate Aircraft on Ground” are as follows: 

• Loss of all deceleration capability 

• Reduced deceleration capability 

• Inadvertent deceleration 

• Loss of all auto stopping features 

• Asymmetrical deceleration 
These failure conditions reveal an implied classification: one total loss of function, two different 
cases of function degradation, and two types of malfunction. None of these failure conditions is 
architecture specific (except perhaps for the existence of an “auto stopping” capability). 

For the preliminary UAS FHA, the functional failure conditions were listed in a manner 
similar to the example given in Appendix L of SAE ARP 4761. The functional failure condition 
classification considered the following potential effects of failures on function capabilities: 

• Total loss of function 

 - Detected and undetected 

 - Example: loss of all deceleration capability 

• Partial loss of function/degraded functional capability 

 - Detected and undetected 

 - Generic and specific 

 - Examples: reduced deceleration capability (generic loss), loss of all auto stopping 
features (specific loss), loss of accuracy for navigation information, and reduced 
control authority 

• Malfunction (including misleading information) 

 - Detected and undetected 

 - Generic and specific 

 - Examples: inadvertent deceleration (specific malfunction), asymmetric deceleration 
(specific malfunction), asymmetric thrust, unintended control action (e.g., in-flight 
thrust reversal), and persistent offset from correct navigation information 

As in the SAE ARP 4761 example, some functions may have several types of degradation and 
several potential malfunctions. Consequently, each function may have several rows in the FHA, 
and different functions may have a different number of failure conditions to consider than other 
functions. In the FHA, each row identifies some degradation of function combined with flight 
phase and degree of system knowledge about the failure, and a specific hazard classification (i.e., 
minor, major, hazardous, or catastrophic). 

4.3 Phases of Flight for a UAS 

The last aspect of the FHA process worth mentioning is the phase of flight when a failure 
occurs. In some cases, a particular function may be used throughout the entire flight; while in 
other cases a function may only be used during one phase of flight. According to SAE ARP 
4761, “the FHA should identify the failure conditions for each phase of flight when the failure 
effects and classifications vary from one flight phase to another.” In some cases, the phase of 
flight for a particular function may be “all” if the same failure conditions are consistent 
throughout all flight phases. 

A typical FHA includes common phases of flight such as taxi, take-off, climb, enroute, 
approach, and landing. For the purposes of this study, only those failure conditions relevant to 
the enroute phase of flight were considered, due specifically to time limitations on the project. 
Follow-on work might consider extending the FHA for the other phases of flight. 

An interesting phase of flight to consider for future work, and one that might be unique to a 
UAS, is loitering. A number of potential commercial applications involve this phase of flight 
where the UAS remains within a relatively small local area for an extended period of time. It 
may be worthwhile to examine whether there are any unique failure conditions to be considered 
in a loitering phase of flight. 
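As an added illustration, not part of the report (which records its FHA in the table format of figure 3), the following Python sketch enumerates the rows that the failure-condition classification of section 4.2 implies for a list of functions, applies the phase-of-flight rule of section 4.3 with the enroute-only scoping of this study, and assigns a severity with the worst-case rule adopted in section 6.1 (most severe effect on any entity under any operating condition considered). The function identifiers, phases and severity inputs are constructed for the example; the detection-consistency check at the end is an editor's sanity check and not a rule from SAE ARP 4761 or from the report.

```python
"""Preliminary FHA row generation and worst-case severity assignment.

Added example; the functions and severity inputs below are constructed.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Severity(IntEnum):
    NO_EFFECT = 0
    MINOR = 1
    MAJOR = 2
    HAZARDOUS = 3
    CATASTROPHIC = 4


# Failure-condition classes of section 4.2. Total loss has no generic/specific
# split; partial loss and malfunction do. Every class is split by detectability.
FAILURE_CLASSES = {
    "total loss of function": ("n/a",),
    "partial loss of function": ("generic", "specific"),
    "malfunction": ("generic", "specific"),
}
DETECTION = ("detected", "undetected")


@dataclass
class Function:
    fid: str               # identifier in the functional decomposition (constructed here)
    name: str
    phases: tuple          # explicit flight phases, or ("all",) when phase-independent
    phase_dependent: bool  # True when failure effects differ between phases


@dataclass
class FhaRow:
    fid: str
    function: str
    phase: str
    failure_class: str
    scope: str
    detection: str
    effect: str = ""
    severity: Optional[Severity] = None


def enumerate_rows(functions, phases_of_interest=("enroute",)):
    """One row per (function, phase, class, scope, detection).

    A function whose failure effects do not vary by phase gets a single row with
    phase "all" (the SAE ARP 4761 rule quoted in section 4.3); a phase-dependent
    function gets one row per phase that is inside the study's scope, so a
    ground-only function yields no rows in an enroute-only FHA.
    """
    rows = []
    for f in functions:
        phases = [p for p in f.phases if p in phases_of_interest] if f.phase_dependent else ["all"]
        for phase in phases:
            for fclass, scopes in FAILURE_CLASSES.items():
                for scope in scopes:
                    for det in DETECTION:
                        rows.append(FhaRow(f.fid, f.name, phase, fclass, scope, det))
    return rows


def assign_worst_case(row, assessments):
    """Worst-case rule of section 6.1: the row's severity is the most severe effect
    on any entity (UAS, flight crew, third parties) under any operating condition
    the analyst considered. `assessments` maps a condition label such as
    "nominal" or "heavy traffic" to a dict {entity: Severity}."""
    worst = Severity.NO_EFFECT
    for per_entity in assessments.values():
        for sev in per_entity.values():
            worst = max(worst, sev)
    row.severity = worst
    return worst


def check_detection_consistency(rows):
    """Editor's sanity check, not a rule from the report: an undetected variant of
    a failure condition removes the chance to mitigate it, so it should not be
    classified less severe than the detected variant of the same condition.
    Returns the (fid, phase, class, scope) keys that violate this."""
    by_key = {(r.fid, r.phase, r.failure_class, r.scope, r.detection): r.severity
              for r in rows if r.severity is not None}
    bad = []
    for (fid, phase, fc, sc, det), sev in by_key.items():
        if det == "detected":
            undetected = by_key.get((fid, phase, fc, sc, "undetected"))
            if undetected is not None and undetected < sev:
                bad.append((fid, phase, fc, sc))
    return bad


if __name__ == "__main__":
    # Constructed function list; identifiers are not the report's.
    demo = [Function("1.2", "Control flight path", ("all",), False),
            Function("1.5", "Decelerate aircraft on ground", ("taxi", "landing"), True)]
    for r in enumerate_rows(demo):
        print(r.fid, r.phase, r.failure_class, r.scope, r.detection)
```

Each row still needs the analyst's consequence text and per-entity assessment; the code only guarantees that no combination from the taxonomy is silently dropped and that the recorded severity is the worst case, as the study's method requires.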

The next section covers the functional description of a generic UAS and the process used for 
organizing the functions. 

5 Functional Decomposition of a Generic UAS 

For this study, a functional decomposition refers to a hierarchical organization of all the 
functions of a system. A simple tree structure is used to represent the basic relationship between 
the functions. The decomposition proceeds from the top (in our case, UAS) to various levels of 
functions. When decomposing functions, it is not always obvious when to stop. Following the 
guidance in AC 23.1309-1C, the decomposition continues until “the lowest defined level of a 
specific action. . .that, by itself, provides a complete operational capability” is reached. There are 
several key points in this criterion. One is that a function refers to a specific action. There are 
many legitimate requirements that are not functions. For instance, a UAS may be required to 
comply with certain FARs, but this is not a function because a function must perform some 
action. Another point is that functions must include a complete operational capability. This 
means that a function must be observable at the operational level. The effect of this is that the 
functional decomposition cannot proceed indefinitely. For example, the calculation of navigation 
accuracy violations is not, by this definition, a function. Conveying navigation state to the flight 
crew is a function because it is observable at the operational level. In addition, the guidance of 
SAE ARP 4754 (ref. 19) states that a function includes its interface (human or machine). 

5.1 Purpose of Functional Decomposition 

Hazard analysis is used to answer questions about the safety of a system. These analyses 
presume that if all hazards have been adequately addressed, then the system will be safe. 
Therefore, a major issue with hazard analyses is ensuring that all hazards have been captured. 
The basic technique used to ensure coverage is one of partitioning the hazards. 

The FHA approach, described throughout this document, first partitions the system into 
functions, then assesses the hazards associated with each function. Because functions have a 
smaller scope than the system as a whole, it is assumed that if all hazards for all functions have 
been captured, then all hazards for the system have been captured [3]. If all hazards for each 
identified function have been addressed, the question then arises, have all the functions been 
identified? 

The functional decomposition attempts to answer this question. The functional decomposition 
is a structured way to identify all functions in the system. As should be expected, the functional 
decomposition is not guaranteed to identify all functions, but it is a tool to help that effort. 

5.2 The SAE ARP 4761 Approach to Functional Decomposition 

Examples in SAE ARP 4761 served as a model for separating the functions of a system. 
Figure 4 shows the SAE ARP 4761 view of a functional decomposition. 


[3] The validity of this assumption should not be taken for granted. It is typically very hard to identify 
hazards that arise from situations where there are small deviations from expected behavior. 
Figure 4. Example Function Decomposition from SAE ARP 4761 



Figure 4 provides a guide for the granularity of the functions in a functional decomposition. 
The notation in this figure is as follows: the boxes followed by diamonds indicate that the 
decomposition of that function continues, but is not shown; boxes followed by a circle indicate 
the lowest level functions that cannot be decomposed further. In this example, actions such as 
controlling thrust, controlling flight path, and determining orientation are relatively high-level 
actions that can be refined further, whereas the function “decelerate aircraft on the ground” is the 
lowest level action that is operationally visible and is not decomposed further. 

The process described in SAE ARP 4761 assumes that the functional decomposition is for a 
specific vehicle. For this example, decelerating aircraft on the ground is the lowest-level 
operational action. On other aircraft, there may be multiple ways for pilots to decelerate the 
aircraft on the ground such as braking, parachute, or thrust reversers. For this alternate vehicle, 
“decelerate aircraft on the ground” would not be the lowest-level action and this function would 
need to be decomposed further. 

The functional decomposition presented here is intended to be as generic as possible, while 
capturing the significant functions necessary for safe flight of any UAS. A number of aircraft 
function lists from major transport and general aviation aircraft vendors were reviewed in the 
development of the decomposition to provide a check for consistency and completeness of the 
function list. Because of the wide variation in UAS types and operations, no single functional 
decomposition of a UAS can possibly cover the range of functions of all vehicles. The functional 
decomposition in this report leans more towards those unmanned aircraft that are similar to 
conventional transport or general aviation aircraft. 

5.3 UAS Functional Decomposition 

The full functional decomposition is relatively large, with 69 functions at the lowest level 
under the major functions of aviate, navigate, communicate, and mitigate. Figure 5 shows a top 
level view of these functions. 
Figure 5. Top-level of the Functional Decomposition 

Aviate includes not only actions involved in flying the aircraft, but also actions for moving the 
aircraft on the ground, providing command and control, and managing sub-systems. Navigate 
includes actions involved in the management and execution of a flight plan. Communicate 
provides functionality for the communication between the UAS, ATC and other aircraft. All 
actions associated with the command and control link to the vehicle are contained within the 
Aviate category. Mitigate includes actions such as avoiding traffic, avoiding ground objects, 
avoiding weather or other types of environmental effects, and handling contingencies. The 
motivation for this particular top-level decomposition is to capture, as a category, each of the 
basic actions that pilots perform in a manned aircraft. 

The Mitigate function is not typically included as a top level aircraft function. The common 
saying is that when pilots are taught to fly, they are taught to aviate, navigate, and communicate. 
By explicitly calling out a mitigate function, the hope was to capture a category of functions that 
in many aircraft are performed by the pilot, but will likely be performed by automation in a UAS. 
To help ensure these functions are adequately emphasized for discussion and debate, the Mitigate 
category was created. Figures 6 through 9 give the complete decomposition under each of the 
four major functions. 
Figure 6. Aviate Functions 

Figure 7. Navigate Functions 



Figure 8. Communicate Functions 
Figure 9. Mitigate Functions 

One important point about functions in these categories is that they often rely on the existence 
of other functions in other categories. For instance, the functions within Navigate perform tasks 
such as finding the next waypoint and determining guidance commands. However, the actual 
moving of control surfaces and changing propulsion settings to reach that waypoint are handled 
by the functions within Aviate. In a similar way, the Mitigate function relies on functions within 
Communicate, Navigate, and Aviate. As an example, handling contingencies may require 
communication to alert ATC, navigation to fly to a contingency waypoint, and aviation to move 
control surfaces. 

5.3.1 Low-level Function Template 

In the early stages of developing the decomposition, a definite pattern emerged. This pattern 
included five basic actions related to a given function, which may be executed sequentially or 
concurrently (or some combination thereof). To help provide consistency in terminology, a 
template for those actions or low-level functions was developed, as shown in Figure 11. 

The first action is to convey any state that is relevant to the function. This action includes all 
aspects of conveying the state: sensing, communicating, and displaying. Originally, we used the 
term “display;” which is common in function lists for manned aircraft. This term was rejected, 
however, because it could imply a design decision that the information is to be visually presented 
to the operator. Because we cannot assume that all unmanned aircraft will present the 
information to the operator (visually or otherwise), a more generic term was chosen: convey. For 
example, conveying the state of a navigation function would involve sensing and communicating 
information about latitude, longitude, and altitude (and perhaps other quantities). 


Figure 11. Low-level Function Template 
The determine function means gathering and selecting the appropriate high level command. 
For instance, the determine command may involve gathering flight plan information for a 
navigation command. 

The produce function involves the translation of a strategic goal into a tactical command. One 
example is the behavior of a traditional flight control system: high-level attitude commands are 
translated into low-level flight control surface commands. 

The execute function refers to physically maneuvering the vehicle in some way. All execute 
functions are listed in the Aviate category. 

The final function in the template is to convey the command status. This function is intended 
to address the difference between command and execution; that is, what is commanded and what 
is executed may be different. The command status informs the operator or perhaps some 
diagnostic system about what was commanded and the actual effect of the commanded action. 

5.3.2 An Example of Low-level Functions 

To demonstrate how the template was used, consider function 4.3 Manage Contingencies, as 
shown in figure 12. In this example, no decision has been made about where (control station or 
vehicle) or who (operator or automation) manages contingencies. 


Figure 12. Manage Contingencies 
Convey the system status (function 4.3.1) means gathering information about the state of the 
UAS related to contingencies, such as the communication status. Determine the contingency 
command (function 4.3.2) means analyzing the system to determine what contingencies have 
occurred. Because there may be multiple failures, determining what is actually wrong with the 
UAS may not be trivial. Producing a mitigation command (function 4.3.3) means deciding which 
actions should be taken to respond to the current contingencies. Prioritize the mitigation 
commands (function 4.3.4) addresses the fact that one event can cause multiple 
contingencies. Some of these contingencies may be very important and need to be dealt with 
right away, whereas other contingencies can be dealt with later. Finally, conveying the status of 
the mitigation commands (function 4.3.5) means that the operator (and perhaps automation) will 
want to know what mitigation actions have taken place. For instance, if the fire detectors are 
going off and fire extinguishers have been deployed, then that could mean the fire is too extensive 
for the fire extinguishers to extinguish, that the fire detector sensor is faulty, or that the design of 
the fire detection system is faulty. There could be other explanations, as well. In any case, it is 
important that the operator knows that the fire extinguishers have been deployed so that time is 
not wasted attempting to deploy them again. 

Notice that in this example, the execute function is not listed. This is because executing a 
mitigation command may require the resources of aviate, navigate, and communicate. In 
addition, a “prioritize” function was added which was not part of the functional template. For 
managing contingencies, the act of prioritizing contingency commands was considered a 
significant function whose failure could have safety consequences. 
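As an added example, not material from the report or the Access 5 documents, the following Python sketch models function 4.3 Manage Contingencies through the template of section 5.3.1: convey system status, determine contingencies, produce mitigation commands, prioritize them, and convey command status. It makes concrete the two points the text raises, namely that one event can yield the same mitigation command from several contingencies, and that the command-status report must distinguish what was commanded from what has already taken effect so an already-deployed extinguisher is not deployed again. The contingency names, link timeout, fuel reserve, urgency ordering and mitigation commands are assumptions chosen for illustration.

```python
"""Manage Contingencies (function 4.3) laid out along the low-level function
template: 4.3.1 convey status, 4.3.2 determine, 4.3.3 produce, 4.3.4 prioritize,
4.3.5 convey command status. Added example; thresholds and names are assumed.
"""
from dataclasses import dataclass, field

# Assumed operator-defined thresholds (not from the report).
LINK_TIMEOUT_S = 30.0
FUEL_RESERVE_FRACTION = 0.15

# Assumed urgency ordering: fire before loss of link before low fuel (0 = most urgent).
PRIORITY = {"fire": 0, "lost_link": 1, "low_fuel": 2}


@dataclass(frozen=True)
class Command:
    name: str      # mitigation action, e.g. "deploy_extinguisher"
    cause: str     # contingency that produced it
    priority: int


@dataclass
class SystemStatus:
    """Constructed snapshot of vehicle state relevant to contingencies."""
    seconds_since_last_uplink: float
    fire_detected: bool
    extinguisher_deployed: bool
    fuel_fraction: float
    executed: set = field(default_factory=set)  # commands already carried out


def convey_system_status(status):
    """4.3.1: sense and normalise the state the contingency logic needs."""
    return {
        "link_lost": status.seconds_since_last_uplink > LINK_TIMEOUT_S,
        "fire": status.fire_detected,
        "low_fuel": status.fuel_fraction < FUEL_RESERVE_FRACTION,
    }


def determine_contingencies(snapshot):
    """4.3.2: decide which contingencies are present; several may coexist."""
    return [c for c in ("fire", "lost_link", "low_fuel") if snapshot[c == "lost_link" and "link_lost" or c]]


def produce_mitigation_commands(contingencies):
    """4.3.3: map each contingency to the actions that respond to it. Note that
    a divert is produced by more than one contingency."""
    table = {
        "fire": ("deploy_extinguisher", "divert_to_contingency_waypoint"),
        "lost_link": ("execute_lost_link_procedure", "divert_to_contingency_waypoint"),
        "low_fuel": ("divert_to_contingency_waypoint",),
    }
    return [Command(name, c, PRIORITY[c]) for c in contingencies for name in table[c]]


def prioritize(commands):
    """4.3.4: one event can produce the same command several times; keep one
    copy at the highest urgency any of its causes carries, then order by urgency."""
    best = {}
    for cmd in commands:
        current = best.get(cmd.name)
        if current is None or cmd.priority < current.priority:
            best[cmd.name] = cmd
    return sorted(best.values(), key=lambda c: (c.priority, c.name))


def convey_command_status(commands, status):
    """4.3.5: report what was commanded against what has actually taken effect,
    so the operator does not re-issue an action that has already been executed."""
    report = []
    for cmd in commands:
        if cmd.name == "deploy_extinguisher" and status.extinguisher_deployed:
            state = "already executed; fire still detected" if status.fire_detected else "already executed"
        elif cmd.name in status.executed:
            state = "already executed"
        else:
            state = "pending"
        report.append((cmd.name, cmd.cause, state))
    return report


def manage_contingencies(status):
    """Whole function 4.3; execution itself is left to Aviate/Navigate/Communicate."""
    snapshot = convey_system_status(status)
    commands = prioritize(produce_mitigation_commands(determine_contingencies(snapshot)))
    return convey_command_status(commands, status)


if __name__ == "__main__":
    # Constructed scenario: uplink lost 45 s ago, fire detected, extinguisher already fired.
    for line in manage_contingencies(SystemStatus(45.0, True, True, 0.5)):
        print(line)
```

The execute step is deliberately absent, as in figure 12: the commands returned here are handed to functions in the other three categories, and only the status report comes back to the operator.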

6 Functional Hazard Assessment Overview 

The preliminary FHA discussed here and shown in the appendix is not, in any way, intended 
to represent a complete, validated FHA. Significant effort was put into correct and complete 
identification of potential UAS failure conditions and characterization of their severity, for single 
failure events in the enroute phase of flight only. Additional work remains to be done for other 
phases of flight and multiple failure events. 

To understand the FHA, it is helpful to know some of the ground rules and assumptions used 
in the FHA process. Rule number one is “do no harm”. The safety goal is to avoid any UAS- 
initiated decrease in the safety of the NAS. As a result, failure condition criticality is determined 
by its effect on people on the ground or in other aircraft. The latter case includes stress or injury 
to occupants of other aircraft as a result of an evasive maneuver. Damage to material assets is 
out-of-scope, unless it affects human safety. 

The following assumptions were made in the development of the preliminary FHA. For the 
purposes of this study, the FHA shall: 

• assume no specific architecture or design 

• make no presumption about where a function resides 

• consider the enroute flight phase only. Because of the Access 5 focus on high-altitude 
aircraft, the enroute phase of flight was assumed to be at flight level 430 or above, where air 
traffic control is responsible for separation. 

• consider single failures only 

• assume current air traffic control operations, procedures and technologies (that is, concepts 
such as “free flight”, 4-D trajectory, or fully data-linked, autonomous concepts of operation 
are not considered) 

• use the FHA table format from SAE ARP 4761, with minor variations, as described in section 
4.1 

• consider failure condition classifications as described in section 4.2 

6.1 Assignment of Failure Condition Severities 

A significant step in the FHA process is assigning criticality or severity levels to each of the 
failure conditions that are defined for each function. The definitions for the failure condition 
severities are given in Section 3. Here we discuss how to interpret and apply those definitions for 
specific failure conditions. The operational consequence and corresponding severity is obvious 
for some failure conditions, while others are controversial or difficult to classify. When 
controversy does arise, it is usually due to a couple of factors: 

• natural tension between the desire to be conservative when it comes to safety, but on the other 
hand, not to be so conservative as to impose unreasonable requirements 

• sensitivity of the outcome of a given failure condition to operational or environmental 
circumstances 

A “catastrophic” assessment for a particular failure condition may appear to impose an 
onerous burden on product development, not only in terms of the hardware and software design 
and equipment costs, but also in the certification costs. This is due to the fact that the more 
severe a failure condition is, the less likely it must be proved to be. For example, some 
catastrophic failures are assigned a frequency of occurrence somewhere between 10^-6 and 10^-9 per 
flight hour [4], depending on aircraft category, whereas major failures are assigned in the 10^-4 to 10^-5 
range. Reaching such levels for catastrophic failures has traditionally been very costly, and may 
even be prohibitive, especially for a small UAS manufacturer. 

During and after the subsequent architecture development and system design phases, the 
manufacturer will have ample opportunity to address the concerns by various means. One option 
is to produce an architecture and a design that includes effective redundancy management and 
mitigation strategies. Based on this or other strategies, the supplier may petition the FAA to 
acknowledge lower levels of hazard categories in specific areas of concern, that is, from 
architectural mitigations for certain failure conditions formerly labeled as catastrophic. 

For this study, we defined and documented a method for assigning a severity to any particular 
failure condition. This method was intended to help clarify why particular severity assignments 
were made, and also to facilitate consistency for assigning severities. 

A worst-case, single-failure assessment strategy was used to assign a severity to each failure 
condition. Failure conditions that are not the worst case may be included to better describe 
system behavior in certain situations; however, the worst case was always captured. Only single 
failures were considered in the FHA due to time limitations on the project [5]. For this discussion, it 
is assumed that the function, flight phase, and failure condition have already been determined. 
The operational consequence and the severity classification are developed together, using the 
following steps. 

Step 1. The first consideration is a creative process of imagining the operating conditions in 
which the failure occurs. The hazard severity definitions disallow the assumption of 
perfect conditions. Therefore, if the consequence is made worse by any of the following 
adverse operating conditions, a more severe classification should be given: 

a. Flight crew is busy with another task. 

b. Weather (visibility, winds, turbulence) conditions are bad. 

c. Traffic conditions are heavy. 

Recall that failures are not included in this list of adverse operating conditions. At this 
phase in the analysis, multiple failures were not considered. 


[4] It is important to recognize that target reliability figures specific for UAS have not been developed. 
Determining reasonable estimates for such numbers requires extensive analysis beyond that given in this 
report. Ultimately, regulatory authorities will determine the final values. 

[5] Multiple failure conditions should be considered in future phases of the analysis. 

Step 2. The assessment proceeds by assessing the effects on three entities: the UAS itself, the 
flight crew of the UAS, and any people external to the UAS, as shown in table 4 in 
section 3. The specific evaluation of each of these effects is described in the three steps 
that follow; however, the evaluation is usually easier if the effects on flight crew and 
people external to the UAS are considered first. Because this is a worst case analysis, 
when the effects on one entity are determined, effects on other entities are only relevant if 
they have a more severe consequence. 

Step 2a. The assessment on the UAS is performed in two dimensions: safety margins 
and operational capabilities. Safety margin refers to the gap between expected 
use and an unsafe condition. Safety margins are added to mitigate the normal 
uncertainties involved in aviation systems including: design, manufacture, 
flight crew abilities and training, sensor inaccuracies, etc. By definition, some 
safety margin can be lost, and the UAS will continue to be safe. Safety 
margins include separation standards between vehicles, between a vehicle and 
the ground, between a vehicle and weather, etc. 

If a failure condition causes a complete loss of safety margins (normally 
involving a loss of the vehicle), then this condition is designated catastrophic. 
An example of this is if the UAS can no longer be controlled. If a failure 
condition has no effect on safety margins, then this condition is labeled “no 
effect.” A significant reduction of safety margins means some condition 
where — absent other failures and all but the most extreme adverse operating 
conditions — it is reasonably expected that safe flight and landing can occur. 
Such a failure condition is labeled major. Even though a UAS which 
experiences one of these failures is expected to be safe, the safe use of the UAS 
may result in damage to the UAS. For instance, a vehicle may run off the end 
of the runway into a field and have the landing gear collapse. If the effect of 
the failure condition causes more than a significant reduction of safety margin, 
but does not cause a complete loss of safety margin, then this condition is 
designated hazardous. If a failure condition has more than no effect but less 
than a significant effect (as just described), then this failure condition is labeled 
minor. 

Loss of operational capabilities is important to safety because as operational 
capabilities are lost, possible actions which can mitigate unsafe situations are 
eliminated. Therefore, if a failure condition causes loss of all operational 
capabilities — normally including loss of the vehicle — then this condition is 
designated catastrophic. If the failure condition causes no loss of operational 
capabilities, then this condition is labeled no effect. A significant loss of 
operational capabilities means that a failure condition causes cascading failures 
of only a few less critical functions such that, at most, one mitigating action is 
lost⁶. Such a failure condition is designated major. If the effect on the UAS of 
the failure condition causes more than a significant loss of operational 
capability, but does not cause a complete loss of operational capabilities, then 
this condition is designated hazardous. If a failure condition has more than no 
effect but less than a significant effect (as just described), then this failure 
condition is labeled minor. 


⁶ Communication with air traffic control is an example of one mitigating action. 
Step 2b. Next, an assessment of the effects on the flight crew is performed. If the crew 
is no longer able to perform their assigned tasks (due to either incapacitation or 
death), then the event that caused this is catastrophic. Other effects on the 
flight crew are examined in two dimensions: physical effects and workload 
effects. In terms of physical effects on the flight crew, if any member of the 
flight crew sustains an injury that would normally require significant medical 
attention (for example, a broken leg), then this is considered physical distress 
and is designated hazardous. If any member of the flight crew sustains an 
injury that normally does not require medical attention (for example, scrapes 
and bruises), then this effect is considered physical discomfort and is 
designated major. 

In terms of workload, if the expected result from a failure condition is that any 
member of the flight crew is unable to perform one of their important⁷ tasks, 
then this condition is considered hazardous. If the failure condition requires 
any member of the flight crew to slightly increase their workload, then this 
failure condition is classified as minor. If the workload of any member of the 
flight crew is more than slightly impacted, but not impacted enough to preclude 
them from performing tasks, then this failure condition is designated major. 
When assessing workload, a flight crew of average training and ability is 
assumed. It is immaterial that the presence of a flight crew of exceptional 
ability or training would result in a less severe event. 

Step 2c. Finally, an assessment of the effects on anyone who is not a member of the 
flight crew is performed. This includes people on board other aircraft, people 
located at airports, and the public at large. If anyone is killed or severely 
injured (that is, requiring an extended hospital stay), then this failure condition 
is classified as catastrophic. If anyone sustains an injury that normally requires 
significant medical attention (for example, a broken leg), then this is 
considered physical distress and is designated hazardous. If anyone sustains an 
injury that does not normally require medical attention (for example, scrapes 
and bruises), then this effect is considered physical discomfort and is 
designated major. 

Step 3. Because this is a worst-case analysis, the most severe consequence of these three effects 
is captured in the FHA. 

Step 4. The hazard classification from Step 3 is compared to the classification of other failure 
conditions for this function. Is the classification uniform? Is it clear that more severe 
failure conditions have more severe operational consequences and therefore, more severe 
classifications? 

Step 5. As an initial validation, the example FHA in appendices A and B of AC 23.1309-1C 
should be consulted to determine if a similar function and failure condition exists. If so, 
then the severity classification should be the same, or a clear reason should exist as to 
why the classification is different. 
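The five steps above are a worst-case combination rule: each entity (UAS, flight crew, external people) is rated on its own scale, and the entry takes the most severe rating (Step 3). The following Python is an added example written for this page, not code from the report; it encodes the rungs of Steps 2a through 2c exactly as the text states them, applies Step 3 with max(), and adds a mechanical form of the Step 4 sanity check (an entry that relies on a strict superset of another entry's mitigations, for the same function, must not come out more severe). The per-entity inputs given for the four sample entries are my reading of the tables in section 6.2, not values the report provides, and the scale names and function names are my own.

```python
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):       # ordered so max() picks the worst case (Step 3)
    NO_EFFECT = 0
    MINOR = 1
    MAJOR = 2
    HAZARDOUS = 3
    CATASTROPHIC = 4


# Step 2a: both UAS dimensions (safety margins, operational capabilities)
# use the same rungs: none / less than significant / significant /
# more than significant / complete loss.
LOSS_SCALE = {"none": Severity.NO_EFFECT, "less_than_significant": Severity.MINOR,
              "significant": Severity.MAJOR, "more_than_significant": Severity.HAZARDOUS,
              "complete": Severity.CATASTROPHIC}
# Steps 2b/2c: physical effects (discomfort = scrapes and bruises,
# distress = e.g. a broken leg).
INJURY_SCALE = {"none": Severity.NO_EFFECT, "discomfort": Severity.MAJOR,
                "distress": Severity.HAZARDOUS, "severe_or_death": Severity.CATASTROPHIC}
# Step 2b: workload effects on a crew of average training and ability.
WORKLOAD_SCALE = {"none": Severity.NO_EFFECT, "slight": Severity.MINOR,
                  "more_than_slight": Severity.MAJOR, "important_task_lost": Severity.HAZARDOUS}


def classify_uas(safety_margin_loss, capability_loss):
    """Step 2a: worst of the two UAS dimensions."""
    return max(LOSS_SCALE[safety_margin_loss], LOSS_SCALE[capability_loss])


def classify_crew(incapacitated, injury, workload):
    """Step 2b: a crew unable to perform its tasks is catastrophic; otherwise
    the worst of the physical and workload effects."""
    if incapacitated:
        return Severity.CATASTROPHIC
    return max(INJURY_SCALE[injury], WORKLOAD_SCALE[workload])


def classify_external(injury):
    """Step 2c: people in other aircraft, at airports, or the public at large."""
    return INJURY_SCALE[injury]


@dataclass
class FailureCondition:
    number: str
    function: str
    uas: Severity
    crew: Severity
    external: Severity
    mitigations: frozenset = frozenset()   # mitigations the entry relies on

    @property
    def classification(self):
        """Step 3: the most severe of the three entity assessments."""
        return max(self.uas, self.crew, self.external)


def check_consistency(entries):
    """Step 4 check: within one function, an entry relying on a strict superset
    of another entry's mitigations must not be classified more severely.
    Returns the offending (number, number) pairs."""
    return [(a.number, b.number) for a in entries for b in entries
            if a is not b and a.function == b.function
            and a.mitigations > b.mitigations
            and a.classification > b.classification]


# Entries re-derived from tables 5 and 7.  The per-entity inputs are my reading
# of each table's operational consequence column, not values the report states.
ENTRIES = [
    FailureCondition("1.1.4.a", "Execute FP command",
                     classify_uas("more_than_significant", "more_than_significant"),
                     classify_crew(False, "none", "more_than_slight"),
                     classify_external("none"),        # soft landing: nobody hurt
                     frozenset({"soft_landing_termination"})),
    FailureCondition("1.1.4.b", "Execute FP command",
                     classify_uas("complete", "complete"),
                     classify_crew(False, "none", "more_than_slight"),
                     classify_external("none")),
    FailureCondition("4.3.2.a", "Determine contingency command",
                     classify_uas("significant", "significant"),
                     classify_crew(False, "none", "slight"),
                     classify_external("none"), frozenset({"c2_link_up"})),
    FailureCondition("4.3.2.b", "Determine contingency command",
                     classify_uas("complete", "complete"),
                     classify_crew(False, "none", "slight"),
                     classify_external("none")),
]


def classify_all(entries=ENTRIES):
    """Record number -> worst-case hazard class name."""
    return {e.number: e.classification.name.lower() for e in entries}


if __name__ == "__main__":
    print(classify_all())
    print("Step 4 problems:", check_consistency(ENTRIES))
```

Because the scales are ordered enumerations, the Step 3 rule is a single max() and the Step 4 question becomes a check that can be run over the whole FHA rather than answered by eye. The mitigation-superset test is one practical reading of Step 4; it catches the case where adding a mitigating function (such as soft-landing termination) accidentally leaves an entry rated more severely than the same failure without it.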

6.2 Example FHA Entries 

The preliminary FHA to date is extensive, and is thus relegated to the appendix. In this 
section, several examples of FHA entries are discussed to illustrate how the FHA was done. In 
each example, the record number for the FHA entry is given, along with the name of the function, 
specific failure condition under consideration, assigned criticality level, phase of flight, and 
remarks as appropriate. These examples are chosen from the functions 1.1 Control Flight Path 
(under 1. Aviate), and 4.1 Avoid Collisions and 4.3 Manage Contingencies (under 4. Mitigate). 
Several possible failure conditions are described for each function. The examples are taken 
directly from the FHA in the appendix. 

⁷ Not all required tasks are of equal importance or complexity. 

6.2.1 Example from the “Execute Flight Path Command” Function 

The first example is based on function 1.1.4 Execute Flight Path (FP) Command, under 
Aviate. This function involves using the flight path command to change the physical state of the 
vehicle. Table 5 presents two entries in the FHA for this function. 


Table 5. FHA Example: Execute Flight Path Command 

Number: 1.1.4.a 
Function: Execute FP command 
Flight phase: enroute 
Failure condition: Loss of function with soft landing flight termination function 
Operational consequence: Vehicle will not be controllable; landing will be somewhat controllable. 
Classification: hazardous 
Remark: Execution of a soft landing function assumes that people will not be killed or seriously injured. 

Number: 1.1.4.b 
Function: Execute FP command 
Flight phase: enroute 
Failure condition: Loss of function without soft landing flight termination function 
Operational consequence: Vehicle will not be controllable. 
Classification: catastrophic 

In both of these failure modes, the vehicle is unable to execute a flight path command in the 
enroute phase of flight. This situation means the vehicle is uncontrollable. By Step 2a of section 
6.1.1, a failure mode that results in an uncontrolled vehicle is designated catastrophic. In record 
number 1.1.4.a, the failure condition assumes the existence of some type of function that will 
“gently” end the flight. Because of this mitigating action, the hazard classification for this failure 
mode is lowered from catastrophic. This mode is designated hazardous because there has been a 
reduction in safety margins such that “safe flight and landing” cannot be reasonably assured. 

6.2.2 Example from the “Detect Air Traffic” Function 

The next example is based on the detect air traffic function, which is function 4.1.1.1 in the 
functional decomposition. This function is the first step in any “sense and avoid” function. Table 
6 gives the FHA entry of three failure conditions for this function. Each of these failure modes 
has been assigned a hazard classification of “major.” 

One might imagine that if the UAS is unable to detect air traffic, then there is the possibility 
that collisions will result; and, therefore this failure mode should be designated catastrophic. 
However, in the enroute flight phase, the vehicle is in class A airspace where ATC has the main 
responsibility for separation. In this case, it is assumed that ATC is functioning normally, with 
situational awareness of the UAS and other air traffic. If the potential for conflict arises, it is 
assumed that ATC would vector the UAS or other aircraft as needed to mitigate the conflict. In 
this phase of flight, there is the reasonable expectation that safe flight and landing can still occur. 
In other phases of flight, especially where there is reduced separation, a different severity 
classification may be justified. 


Table 6. FHA Example: Detect Air Traffic 

Number: 4.1.1.1.a 
Function: Detect air traffic 
Flight phase: enroute 
Failure condition: Total loss of function 
Operational consequence: Possibility of conflict with another aircraft. However, assumption of being in Class A airspace under IFR means that ATC will provide separation. 
Classification: major 

Number: 4.1.1.1.b 
Function: Detect air traffic 
Flight phase: enroute 
Failure condition: Intruder is "detected" when none is there (false alarm) 
Operational consequence: Possibility of loss of control and/or conflict with another (real) aircraft. Could result in unnecessary avoidance maneuver that endangers another aircraft. 
Classification: major 
Remark: Hazard severity assigned per FAA practice for manned aircraft 

Number: 4.1.1.1.c 
Function: Detect air traffic 
Flight phase: enroute 
Failure condition: Intruder is not detected when there is a real threat. 
Operational consequence: Possibility of conflict with another aircraft. If both aircraft are being tracked by service provider and time permits, ATC will attempt to warn one or both aircraft to avoid collision. 
Classification: major 
Remark: Hazard severity assigned per FAA practice for manned aircraft 


6.2.3 Example from the “Determine Contingency Command” Function 

This example is based on function 4.3.2 Determine Contingency Command, which is a sub- 
function of 4.3 Manage Contingencies. Table 7 shows two FHA entries of various failure 
conditions for this function. 


Table 7. FHA Example: Determine Contingency Command 

Number: 4.3.2.a 
Function: Determine contingency command 
Flight phase: enroute 
Failure condition: Loss or malfunction when C2 link is up. 
Operational consequence: Flight crew/UAS will not be able to initiate a contingency. Since C2 link is up, vehicle is still controllable. Significant loss of safety margin results. 
Classification: major 
Remark: Situations where this failure has more dire consequences involve other systems failing. These multiple-failure scenarios must be dealt with later. 

Number: 4.3.2.b 
Function: Determine contingency command 
Flight phase: enroute 
Failure condition: Loss or malfunction when C2 link is down. 
Operational consequence: Flight crew/UAS will not be able to initiate a contingency. Since C2 link is down, the vehicle is uncommanded. 
Classification: catastrophic 

These failure conditions are predicated on whether the command and control (C2) link is up or 
down. The reason for this distinction is that a transient loss of the C2 link is considered a normal 
part of operation of the vehicle and not a failure. For example, a banking turn may shield the 
antenna and cause the link to be temporarily lost. The manage contingencies function is normally 
only used when another failure has occurred. In many cases, the failure of a function in this 
functional group only becomes dangerous when it is being used; that is, when a failure in some 
other function has occurred. These circumstances would mean that multiple failures have 
occurred. Because this FHA only covers single failure conditions, the operational consequences 
listed in table 7 reflect only the failure of the determine contingency command function, without any 
other functional failures. 

6.3 Summary Statistics 

Even though the preliminary FHA does not cover multiple failures or all phases of flight, it is 
interesting to examine a few statistics. The functional decomposition shows 69 leaf nodes, which 
equates to 69 different functions to which the FHA process was applied. Figure 13 shows the 
total number of failure conditions by the four major categories in the functional decomposition. 


Figure 13. Failure Condition Totals, by Functional Category 
As shown in figure 13, the majority of potential failure conditions fall under the Aviate or 
Mitigate functions. Out of a total of 132 failure conditions described in the FHA, 49 of them are 
under Aviate and 52 of them are under Mitigate. The remaining failure conditions are almost 
evenly split between Navigate and Communicate. Figure 14 presents the same data, with detail 
regarding the number of failure conditions per each severity level. 
Figure 14. Failure Condition Severities by Major Functional Category 
As shown in figure 14, the majority of failure conditions with catastrophic and hazardous 
consequences are found in the Aviate and Mitigate functions. Catastrophic failure conditions are 
less prominent in Navigate and Communicate. It is important at this stage to keep in mind that 
only single failures have been considered in the FHA. The ratios for the various severity levels 
may change as multiple failure events and other phases of flight are considered. 

In this assessment, twenty-six potentially catastrophic failure conditions were identified, 
considering only single failures in the enroute phase of flight. An interesting observation to make 
at this point is how the number of catastrophic failure conditions for a generic UAS compares 
with the numbers assumed for commercial transport (Part 25) aircraft and for general aviation 
(Part 23) aircraft. According to AC 23.1309-1C, ten catastrophic failure conditions are 
assumed for a general aviation aircraft (covering single and multiple failures over all phases of 
flight), and 100 catastrophic failure conditions are assumed for a commercial transport 
aircraft according to AC 25.1309-1A. While recognizing that these are broad generalizations, 
preliminary indications are that the number of potential catastrophic failure conditions for a 
generic UAS will be greater than the number for general aviation aircraft. How close the estimate 
will be to commercial transport aircraft depends on further assessment of failure conditions in all 
phases of flight. 

7 Electromagnetic Considerations 

As discussed in Section 2, FAR Parts 23.1309 and 25.1309 specify that equipment, systems 
and installations must be designed to ensure that they perform their intended functions under any 
foreseeable operating condition. In particular, because unmanned aircraft do not have an on-board 
pilot, they will necessarily rely on electronic components for safe operation. Therefore, 
foreseeable operating conditions must include the electromagnetic effects on safety-relevant 
electronic components. In particular, FAR 23.1309 subpart (e) states 

In showing compliance with this section with regard to the electrical power system and to 
equipment design and installation, critical environmental and atmospheric conditions, 
including radio frequency energy and the effects (both direct and indirect) of lightning 
strikes, must be considered. 

This statement formalizes the regulation in which electromagnetic effects, including high 
intensity radiated electromagnetic fields (HIRF) must be considered and appropriate guidelines 
must be followed. Due to the high altitude flight profile of some unmanned aircraft, 
consideration should also be made for single event upset (SEU) effects. The following 
subsections provide a brief discussion of issues relevant to HIRF and SEU for a UAS. 

7.1 HIRF Considerations 

High intensity radiated electromagnetic fields are created by transmissions from high-power 
radio emitters such as radio and television broadcast stations, radars, and satellite uplink 
transmitters. The emitters may be ground-based, ship-borne, or airborne. Although these 
transmissions can have serious effects on electronic equipment, engineering and design methods 
to protect against HIRF effects are well documented and understood. Shielding cables and 
bulkhead connectors from spurious electromagnetic emissions is a common practice. Metal 
enclosures surrounding electronic circuits (e.g., Faraday cages) usually provide sufficient 
protection against HIRF. 

The FAA requires testing of aircraft electronic systems, in accordance with the procedures 
outlined in RTCA DO-160E, Environmental Conditions and Test Procedures for Airborne 
Equipment, (ref. 20) to guard against possible interruptions, erroneous operation, or loss of 
function due to HIRF exposure. A UAS flying similar mission profiles to fixed wing, manned 
aircraft will be exposed to the same HIRF environment and therefore should be tested to the same 
standards. UAS mission profiles that include long loiter times may increase the duration of 
exposure to HIRF; however, current FAA guidelines do not consider exposure time as part of the 
certification process. UAS mission profiles that require flight close to the earth, more closely 
matching the rotorcraft flight profiles, should be tested to the rotorcraft standards of DO-160E. 
Very low altitude flying aircraft may encounter an even harsher HIRF environment than typical 
rotorcraft missions and thus may require more stringent guidelines. Electronic payloads 
operating aboard UAS platforms that can interfere with critical systems may also need to comply 
with FAA radio frequency emission and susceptibility guidelines outlined in section 21 of the 
DO-160E document. 

7.2 Single Event Upset Considerations 

Single event upset phenomena are the result of cosmic ray interactions with the atmosphere, 
and occur more frequently at higher altitudes. These interactions produce a number of decay 
products, including atmospheric neutrons, that can intercept and corrupt the operation of 
semiconductor devices. A particle that strikes a processor at just the wrong place and time can 
cause it to latch up. The most critical SEU sensitivities in modern aircraft systems occur with 
memory devices. 

SEU is of particular concern for unmanned aircraft that fly high altitude and long endurance 
missions (ref. 21, 22). High altitude aircraft would be expected to encounter more frequent SEU 
than aircraft flying at lower altitudes. Long mission times increase exposure to SEU, as well. 
Finally, because there is no on-board pilot, a UAS relies on electronic components for safety 
critical functions, and these electronic components have grown more susceptible to SEU as 
integrated circuit geometries have decreased. Therefore, the design of high altitude or long-endurance 
aircraft must account for SEU effects to achieve acceptably safe and reliable UAS 
operations. 

Approaches exist for mitigating HIRF and SEU effects, including shielding, fault tolerant 
architectures, and error detection and correcting schemes. The eventual development of “1309” 
regulations for unmanned aircraft will clearly need to address HIRF and SEU effects as part of 
the expected operating environment. Further research may be required to establish the analysis 
and testing methods for electronic systems, beyond those already prescribed in DO-160E, 
necessary to assure safe operation of a UAS in adverse environments. 
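As an added illustration of the error detection and correcting schemes listed above as an SEU mitigation (example code written for this page, not code from the report), the following Python implements an extended Hamming SECDED code over an 8-bit data word: one bit flipped by an upset is corrected, two flipped bits are detected and reported as uncorrectable rather than silently mis-corrected. The bit layout (Hamming parity at power-of-two positions, an overall parity bit at position 0) is the standard extended-Hamming construction; the function names and the choice of an 8-bit word are mine.

```python
def _parity_count(m):
    """Smallest r with 2**r >= m + r + 1 (the Hamming bound for m data bits)."""
    r = 0
    while (1 << r) < m + r + 1:
        r += 1
    return r


def hamming_encode(data, m=8):
    """Return an (m + r + 1)-bit codeword.  Bit 0 is the overall parity bit,
    power-of-two positions carry Hamming parity, all other positions carry data."""
    r = _parity_count(m)
    n = m + r
    bits = [0] * (n + 1)
    d = 0
    for pos in range(1, n + 1):
        if pos & (pos - 1):             # not a power of two: a data position
            bits[pos] = (data >> d) & 1
            d += 1
    for i in range(r):                  # parity bit 2**i covers positions with bit i set
        p = 1 << i
        bits[p] = sum(bits[pos] for pos in range(1, n + 1) if pos & p) & 1
    bits[0] = sum(bits) & 1             # overall parity over positions 1..n
    return sum(b << i for i, b in enumerate(bits))


def hamming_decode(codeword, m=8):
    """Return (data, status) with status 'ok', 'corrected' or 'uncorrectable'.
    data is None when two upsets are detected (the code cannot repair them)."""
    r = _parity_count(m)
    n = m + r
    bits = [(codeword >> i) & 1 for i in range(n + 1)]
    syndrome = 0
    for pos in range(1, n + 1):         # XOR of set positions: 0 if no error,
        if bits[pos]:                   # otherwise the position of a single flip
            syndrome ^= pos
    overall = sum(bits) & 1             # 0 when an even number of bits flipped
    if syndrome == 0 and overall == 0:
        status = "ok"
    elif overall == 1 and syndrome <= n:   # odd flips: treat as one upset
        bits[syndrome] ^= 1                # syndrome 0 = the overall parity bit itself
        status = "corrected"
    else:                                  # nonzero syndrome, even parity: two upsets
        return None, "uncorrectable"
    data = 0
    d = 0
    for pos in range(1, n + 1):
        if pos & (pos - 1):
            data |= bits[pos] << d
            d += 1
    return data, status


def survives_single_upsets(data, m=8):
    """True if every single-bit flip of data's codeword decodes back to data."""
    cw = hamming_encode(data, m)
    width = m + _parity_count(m) + 1
    return all(hamming_decode(cw ^ (1 << i), m) == (data, "corrected")
               for i in range(width))


if __name__ == "__main__":
    cw = hamming_encode(0xA5)
    print(hex(cw), hamming_decode(cw))                      # clean read
    print(hamming_decode(cw ^ (1 << 5)))                    # one upset, repaired
    print(hamming_decode(cw ^ (1 << 3) ^ (1 << 7)))         # two upsets, flagged
```

The overall parity bit is what separates "one upset" from "two upsets": a plain Hamming code sees a nonzero syndrome in both cases and would "correct" a double flip into a third, wrong word. In a flight computer this logic runs in hardware on the memory path, but the distinction matters the same way: a detected-but-uncorrectable word should feed the fault-tolerant architecture (for example by refetching or failing over), never be consumed as valid data.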

8 Summary 

In recent testimony before Congress, Nicholas Sabatini, FAA Associate Administrator for 
Aviation Safety stated that the “development and use of unmanned aircraft (UAs) is the next great 
step forward in the evolution of aviation.” (ref. 13) This step, however, involves overcoming 
significant challenges with respect to developing the technology and regulatory infrastructure 
necessary for integrating unmanned aircraft safely into the NAS. A notable challenge for the 
regulatory infrastructure involves defining safety and reliability requirements necessary for 
providing assurance that a UAS poses no greater risk to persons or property in the air or on the 
ground than that presented by conventional aircraft. 

This report discusses some of the basic considerations necessary for setting requirements for 
UASs consistent with those in current FAR paragraphs “1309”. These considerations include 
definitions of hazards and their classification for unmanned aircraft. New definitions for the five 
standard hazard classes (catastrophic, hazardous, major, minor, and no effect) were proposed, 
with rationale given for deviation from existing definitions. In particular, the definition of 
“catastrophic” was modified to deal with concerns about loss of control situations. 

The proposed definitions for hazard classification were applied in a preliminary functional 
hazard assessment of a generic UAS. The preliminary FHA identified failure conditions for a 
generic UAS model, for single failure events occurring in the enroute phase of flight. Much of 
the purpose of conducting the preliminary FHA was to help explore potential hazards unique to 
unmanned aircraft and how those hazards could be classified. 

The revised hazard definitions and preliminary FHA are intended only as very initial steps in 
thinking about regulating the hazards that a UAS will pose to the NAS. Further exploration is 
necessary to better understand potential UAS failures and their effects on remote flight crews and 
communications, as well as the effect on the air traffic management system. Understanding these 
effects is essential to establishing a truly reasonable basis for setting reliability and safety 
standards for unmanned aircraft. 
Appendix: UAS Preliminary Functional Hazard Assessment 

Number: 1.2.4.a 
Function: Execute GP Command 
Flight phase: enroute 
Failure condition: Any malfunction 
Operational consequence: none 
Classification: no effect 

Number: 1.3.4.b 
Function: Execute AGT Command 
Flight phase: enroute 
Failure condition: Inadvertent deployment of thrust reversers 
Operational consequence: Major structural and propulsion system failures 
Classification: catastrophic 
Remark: This failure mode is irrelevant if a UAS does not have retractable thrust reversers. 

Number: 1.3.4.c 
Function: Execute AGT Command 
Flight phase: enroute 
Failure condition: Inadvertent landing gear deployment 
Operational consequence: Vehicle's performance changes significantly 
Classification: major 
Remark: Structural problems should be considered for a specific UAS. If a UAS does not have retractable landing gear. 

Function: Maintain Command and Control during all phases of flight 
Flight phase: enroute 
Failure condition: Degraded C2 data link function resulting in incorrect signal 
Operational consequence: UAS may make an unpredictable maneuver resulting in uncontrolled crash possibly causing injury and/or death. 
Classification: catastrophic 

Number: 2.2.1.a 
Function: Determine flight plan 
Flight phase: enroute 
Failure condition: Total loss of function (detected) 
Operational consequence: Mission will be delayed until flight-planning capability can be restored. 
Classification: no effect 
Remark: This presumes that this function refers only to the pre-flight phase of flight planning. Consequences of the 

Number: 2.2.2.c 
Function: Determine next waypoint 
Flight phase: enroute 
Failure condition: Next way point is incorrectly determined 
Operational consequence: Potential conflict with other aircraft or adverse environmental conditions. Monitoring by ATC will provide safety backup if anomalies in flight path are noticed in time. This constitutes a 
Classification: major 
Remark: Consequences could be more severe in a high-traffic density environment, 

Number: 2.3.c 
Function: Produce navigation command 
Flight phase: enroute 
Failure condition: Incorrect navigation command is produced 
Operational consequence: Potential conflict with other aircraft or adverse environmental conditions. Monitoring by ATC will provide safety backup if anomalies in flight path are noticed in time. This constitutes a 
Classification: major 
Remark: Consequences could be more severe in a high-traffic density environment, 

Number: 4.1.1.2.a 
Function: Track air traffic 
Flight phase: enroute 
Failure condition: Total loss of function 
Operational consequence: Possibility of conflict with another aircraft. However, assumption of being in Class A airspace under IFR means that ATC will provide separation. 
Classification: major 

Number: 4.1.1.4.a 
Function: Determine corrective action 
Flight phase: enroute 
Failure condition: Total loss of function 
Operational consequence: Possibility of conflict with another aircraft. However, assumption of being in Class A airspace under IFR means that ATC will provide separation. 
Classification: major 

Number: 4.2.1.a 
Function: Detect adverse environmental conditions 
Flight phase: enroute 
Failure condition: Total loss of function 
Operational consequence: Could lead to loss of control of UAS AV or operation of the UAS AV outside of performance envelope. Possibility of conflict with another aircraft or encounter with ground or ground 
Classification: hazardous 

Function: Convey system status 
Flight phase: enroute 
Failure condition: Reporting failure when there is none 
Operational consequence: Flight crew/UAS will believe the UAS is malfunctioning when in fact it is not. Flight crew/UAS may make a diversion based on this false information. Flight crew has a slightly increased workload. 
Classification: minor 

Number: 4.3.4.a 
Function: Prioritize mitigation command 
Flight phase: enroute 
Failure condition: Any failure when C2 link is up. 
Operational consequence: The most important mitigation command will not be used and the flight crew/UAS know about this. Since C2 link is up, vehicle is still controllable. A significant loss of safety margin results. 
Classification: major 
Remark: The expectation is that all mitigation commands that have been produced will be executed, just in a different order from 

Number: 4.3.5.b 
Function: Convey status of commands 
Flight phase: enroute 
Failure condition: Undetected loss of function 
Operational consequence: System successfully formulates and executes a mitigation command, the flight crew/UAS does not know what happened, and is unaware that they do not know. Flight crew/UAS may initiate 
Classification: hazardous 